feat(broker): verify ed25519 hello signature against member pubkey

WS handshake is now authenticated end-to-end. The broker proves that
every connected peer actually holds the secret key for the pubkey
they claim as identity — not just that they know the pubkey.

wire format change:
  {type:"hello", meshId, memberId, pubkey, sessionId, pid, cwd,
   timestamp, signature}
  where signature = ed25519_sign(canonical, secretKey)
  and canonical = `${meshId}|${memberId}|${pubkey}|${timestamp}`

broker verifies on every hello:
1. timestamp within ±60s of broker clock → else close(1008, timestamp_skew)
2. pubkey is 64 hex chars, signature is 128 hex chars → else malformed
3. crypto_sign_verify_detached(signature, canonical, pubkey) → else bad_signature
4. (existing) mesh.member row exists for (meshId, pubkey) → else unauthorized

All rejection paths close the WS with code 1008 + structured error
message + metrics counter increment (connections_rejected_total by
reason).

new modules:
- apps/broker/src/crypto.ts: canonicalHello, verifyHelloSignature,
  HELLO_SKEW_MS constant
- apps/cli/src/crypto/hello-sig.ts: matching signHello helper

clients updated:
- apps/cli/src/ws/client.ts: signs hello before send
- apps/broker/scripts/{peer-a,peer-b}.ts (smoke-test): sign hellos
  with seed-provided secret keys

new regression tests — tests/hello-signature.test.ts (7):
- valid signature accepted
- bad signature (signed with wrong key) rejected
- timestamp too old rejected (>60s)
- timestamp too far in future rejected (>60s)
- tampered canonical field (different meshId at verify time) rejected
- malformed hex pubkey rejected
- malformed signature length rejected

verified live:
- apps/broker/scripts/smoke-test.sh: full hello+ack+send+push flow
- apps/cli/scripts/roundtrip.ts: signed hello + encrypted message
- 55/55 tests pass

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/cli/src/ws/client.ts

@@ -20,6 +20,7 @@ import {
   encryptDirect,
   isDirectTarget,
 } from "../crypto/envelope";
+import { signHello } from "../crypto/hello-sig";
 
 export type Priority = "now" | "next" | "low";
 export type ConnStatus = "connecting" | "open" | "closed" | "reconnecting";
@@ -97,21 +98,36 @@ export class BrokerClient {
     this.ws = ws;
 
     return new Promise<void>((resolve, reject) => {
-      const onOpen = (): void => {
-        this.debug("ws open → sending hello");
-        ws.send(
-          JSON.stringify({
-            type: "hello",
-            meshId: this.mesh.meshId,
-            memberId: this.mesh.memberId,
-            pubkey: this.mesh.pubkey,
-            sessionId: `${process.pid}-${Date.now()}`,
-            pid: process.pid,
-            cwd: process.cwd(),
-            signature: "stub", // libsodium sign_detached lands in Step 18
-            nonce: randomNonce(),
-          }),
-        );
+      const onOpen = async (): Promise<void> => {
+        this.debug("ws open → signing + sending hello");
+        try {
+          const { timestamp, signature } = await signHello(
+            this.mesh.meshId,
+            this.mesh.memberId,
+            this.mesh.pubkey,
+            this.mesh.secretKey,
+          );
+          ws.send(
+            JSON.stringify({
+              type: "hello",
+              meshId: this.mesh.meshId,
+              memberId: this.mesh.memberId,
+              pubkey: this.mesh.pubkey,
+              sessionId: `${process.pid}-${Date.now()}`,
+              pid: process.pid,
+              cwd: process.cwd(),
+              timestamp,
+              signature,
+            }),
+          );
+        } catch (e) {
+          reject(
+            new Error(
+              `hello sign failed: ${e instanceof Error ? e.message : e}`,
+            ),
+          );
+          return;
+        }
         // Arm the hello_ack timeout.
         this.helloTimer = setTimeout(() => {
           this.debug("hello_ack timeout");